iOS and Android users at risk from FREAK security flaw

A gaping, decades-old security hole could have allowed Apple and Google users to be freely spied on and have their personal information stolen, according to security researchers.

The flaw, which has appropriately been named FREAK (Factoring RSA-EXPORT Keys), is a result of an antiquated US government policy which prevented the export of encryption keys over 512 bits. The policy was overturned in the 1990s, and many security-savvy sites and OEMs have since corrected the reliance on these sub-standard keys, but many companies, including Apple, Google and, ironically, the NSA, have not, leaving them wide open to cyberattack.

Apple is said to be preparing a fix for desktop and mobile versions of its Safari browser, and while Google’s Chrome browser isn’t affected, the browser which ships with vanilla versions of Android is. Google has since patched the hole and issued the fix, but it is now down to hardware manufacturers to push it out to consumers.

Much to David Cameron’s chagrin, 1024-bit encryption is now the norm, protecting our browsers from invasion by cybercriminals intent on nicking our online banking info and other sensitive details.

Mr Cameron’s calls for encryption to be banned – which were roundly mocked at the time – now seem even more ludicrous. The UK is the most internet-based major economy in the world; the internet contributes almost 10% to the country’s economy and by 2016 it will be worth £225 billion to the country. That makes security a number one concern for most British businesses and consumers, who individually spend more than £2000 a year online.

If you’re wondering what you can do to protect yourself, try not to worry. While it’s largely a case of shutting the stable door long after the horse has bolted – and in this case, jetted off to Torremolinos to retire – fixes are being worked on and will be issued soon.

Until you can be sure a patch for FREAK has been issued to your browser, you should refrain from using it. While Apple and Google have both fixed the vulnerability, neither has widely issued the patch, so you should err on the side of caution and use third-party browsers instead.

For instance, Google’s Chrome app is available for both iOS and Android and will let you surf safely until you receive the fix.